Lucene search

WpvulndbWPVDB-ID:BCE8F1EF-F794-4857-A284-0AA864A36946

HistoryApr 11, 2024 - 12:00 a.m.

EmbedPress < 3.9.9 - Missing Authorization via handle_calendly_data

2024-04-1100:00:00

wpscan.com

embedpress

wordpress

unauthorized access

missing capability check

handle_calendly_data

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

39.1%

JSON

Description The EmbedPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the handle_calendly_data() function in versions up to, and including, 3.9.8. This makes it possible for unauthenticated attackers to update calendly settings.

References

www.wordfence.com/threat-intel/vulnerabilities/id/be33065e-dae8-44cf-9f8a-f9971f2743ff

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

39.1%

JSON

Related for WPVDB-ID:BCE8F1EF-F794-4857-A284-0AA864A36946